Define the UAC Group Policy Settings

Updated: June 21, 2010

Applies To: Windows 7, Windows Server 2008 R2

There are 10 Group Policy settings that can be configured for User Account Control (UAC). The table lists the default for each policy setting, and the following sections explain the individual UAC Group Policy settings and provide recommendations.

While UAC Group Policy settings enable IT departments to choose how to configure UAC, there are some considerations that should be weighed when creating a new security policy.

The elevation prompt

Windows 7 includes a security policy setting that can be used to prevent the elevation prompt from being imitated. This policy setting (User Account Control: Switch to the secure desktop when prompting for elevation) switches the active user desktop to the secure desktop when a process requests elevation. The secure desktop is accessible only to core Windows processes, and malicious software (malware) cannot communicate with it. As a result, no elevation prompt shown on the secure desktop can be controlled by applications running on the user desktop. This policy setting is disabled by default in Windows 7.

Applications that are not UAC compliant

Disabling the User Account Control: Run all administrators in Admin Approval Mode policy setting turns UAC off. When UAC is turned off, files and folders are no longer virtualized to per-user locations for applications that are not UAC compliant, and all local administrators are automatically logged on with a full administrative access token. Disabling this setting causes Windows 7 to revert to the Windows XP user model. While some applications that are not compatible with UAC may recommend turning UAC off, it is not necessary to do so because Windows 7 includes folder and registry virtualization for applications that are not UAC compliant by default. Turning UAC off exposes your computer to system-wide malware installations. If this setting is changed, a system restart is required for this change to take effect.

Unused UAC Group Policy settings

Virtualization is used to enable applications that are not UAC compatible to work properly in Windows 7. If only UAC-compatible applications are used in your environment, the User Account Control: Virtualize file and registry write failures to per-user locations Group Policy setting is unnecessary and can be disabled.

Because installers typically write to protected areas, such as the Program Files folder, the Win32 model usually requires installers to run in an administrative context. The User Account Control: Detect application installations and prompt for elevation policy setting invokes an elevation prompt when an installer is detected. If all available applications are deployed with Configuration Manager or another technology, elevation on installers is not necessary because the elevation is done automatically by the installer service, which runs as SYSTEM. In this type of environment, this policy setting can be disabled.
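The following PowerShell script is an added example, not part of the original article: it audits the UAC policy settings discussed in the sections above (Admin Approval Mode, the elevation prompt behaviors, the secure desktop switch, virtualization and installer detection) by reading the registry values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System that Group Policy writes, and flags the weak combinations the article warns about. It assumes an elevated PowerShell session on Windows 7 / Windows Server 2008 R2 or later.

```powershell
# Added example, not part of the original article: audit the UAC Group Policy
# settings discussed above by reading the registry values they are written to.
# Assumes an elevated PowerShell session on Windows 7 / Server 2008 R2 or later.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey

# Meaning of the values behind the two "Behavior of the elevation prompt" policies
$adminBehavior = @{ 0 = 'Elevate without prompting'
                    1 = 'Prompt for credentials on the secure desktop'
                    2 = 'Prompt for consent on the secure desktop'
                    3 = 'Prompt for credentials'
                    4 = 'Prompt for consent'
                    5 = 'Prompt for consent for non-Windows binaries' }
$userBehavior  = @{ 0 = 'Automatically deny elevation requests'
                    1 = 'Prompt for credentials on the secure desktop'
                    3 = 'Prompt for credentials' }

function Get-UacValue([string] $Name) {
    # An absent value means "Not configured": the built-in default applies
    $p = $uac.PSObject.Properties[$Name]
    if ($null -eq $p) { return $null } else { return [int] $p.Value }
}
function Get-BehaviorName([hashtable] $Map, $Value) {
    if ($null -eq $Value) { return 'Not configured' }
    if ($Map.ContainsKey($Value)) { return $Map[$Value] } else { return 'Unknown value' }
}

$lua    = Get-UacValue 'EnableLUA'
$admin  = Get-UacValue 'ConsentPromptBehaviorAdmin'
$user   = Get-UacValue 'ConsentPromptBehaviorUser'
$secure = Get-UacValue 'PromptOnSecureDesktop'

"EnableLUA                  = $lua"
"ConsentPromptBehaviorAdmin = $admin ($(Get-BehaviorName $adminBehavior $admin))"
"ConsentPromptBehaviorUser  = $user ($(Get-BehaviorName $userBehavior $user))"
"PromptOnSecureDesktop      = $secure"
"EnableVirtualization       = $(Get-UacValue 'EnableVirtualization')"
"EnableInstallerDetection   = $(Get-UacValue 'EnableInstallerDetection')"

# Flag the combinations the article warns about
$findings = @()
if ($lua -eq 0)    { $findings += 'UAC is off: Admin Approval Mode and file/registry virtualization are disabled.' }
if ($admin -eq 0)  { $findings += 'Administrators elevate without prompting; RunAsHighest/RunAsAdmin apps run elevated silently.' }
if ($secure -eq 0) { $findings += 'Elevation prompts appear on the interactive desktop, not the secure desktop.' }
if ($findings) { $findings | ForEach-Object { "WARNING: $_" } } else { 'No weak UAC settings found.' }
```

A value that is absent from the key is reported as "Not configured"; compare the reported values against the defaults listed for each policy setting before treating them as findings.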

Application run-time behavior

Whether an application can start depends on the combination of the requested execution level recorded in the application compatibility (shim) database and the user rights available to the user account that starts the application. The following tables identify the run-time behavior of an application for each combination of user privileges and applied shim.

An administrator in Admin Approval Mode

The following table describes the run-time behavior of an application for an administrator based on the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode policy setting when different shims are installed.

The last three columns give the shim applied from the application compatibility database.

| Parent process access token | Policy setting | None or RunAsInvoker | RunAsHighest | RunAsAdmin |
|---|---|---|---|---|
| Protected admin | Elevate without prompting | Application starts as a standard user without prompting | Application starts with a full administrative access token and with no prompt | Application starts with a full administrative access token and with no prompt |
| Protected admin | Prompt for consent on the secure desktop | | Application starts with a full administrative access token and prompts for consent on the secure desktop | Application starts with a full administrative access token and prompts for consent on the secure desktop |
| Protected admin | Prompt for credentials on the secure desktop | | Application starts with a full administrative access token and prompts for credentials on the secure desktop | Application starts with a full administrative access token and prompts for credentials on the secure desktop |
| Protected admin | Prompt for credentials | | Application starts with a full administrative access token and prompts for credentials on the user's interactive desktop | Application starts with a full administrative access token and prompts for credentials on the user's interactive desktop |
| Protected admin | Prompt for consent | | Application starts with a full administrative access token and prompts for consent on the user's interactive desktop | Application starts with a full administrative access token and prompts for consent on the user's interactive desktop |
| Protected admin | Prompt for consent for non-Windows binaries | Non-Windows application starts as a standard user | Non-Windows application starts with a full administrative access token and prompts for consent on the user's interactive desktop | Non-Windows application starts with a full administrative access token and prompts for consent on the user's interactive desktop |
| Administrator (UAC is disabled) | Not applicable | Application starts with a full administrative access token and with no prompt | Application starts with a full administrative access token and with no prompt | Application starts with a full administrative access token and with no prompt |

A standard user account

The following table describes the run-time behavior of an application for a standard user based on the User Account Control: Behavior of the elevation prompt for standard users policy setting when different shims are installed.

The last three columns give the shim applied from the application compatibility database.

| Parent process access token | Consent policy | RunAsInvoker | RunAsHighest | RunAsAdmin |
|---|---|---|---|---|
| Standard user | Automatically deny elevation requests | Application starts as a standard user | Application starts as a standard user | Application does not start |
| Standard user | Prompt for credentials | Application starts as a standard user | Application starts as a standard user | Prompts for administrator credentials on the user's interactive desktop |
| Standard user | Prompt for credentials on the secure desktop | Application starts as a standard user | Application starts as a standard user | Prompts for administrator credentials on the secure desktop |
| Standard user (UAC is disabled) | Not applicable | Application starts as a standard user | Application starts as a standard user | Application does not start |

A standard user with additional privileges (such as backup operator)

The following table describes the run-time behavior of an application for a standard user with additional privileges based on the User Account Control: Behavior of the elevation prompt for standard users policy setting when different shims are installed.

The last three columns give the shim applied from the application compatibility database.

| Parent process access token | Consent policy | RunAsInvoker | RunAsHighest | RunAsAdmin |
|---|---|---|---|---|
| Standard user | No prompt | Application starts as a standard user | Application does not start | Application does not start |
| Standard user | Prompt for credentials | Application starts as a standard user | Prompts for credentials, and then runs as a standard user with additional privileges | Prompts for administrator credentials on the user's interactive desktop |
| Standard user | Prompt for credentials on the secure desktop | Application starts as a standard user | Prompts for credentials, and then runs as a standard user with additional privileges | Prompts for administrator credentials on the secure desktop |
| Standard user (UAC is disabled) | Not applicable | Application starts as a standard user | Prompts for credentials, and then runs as a standard user with additional privileges | |